The Personal Information Protection Act (PIPA) in Alberta is a provincial privacy law that governs the collection, use, and disclosure of personal information by private-sector organizations. It aims to protect individuals’ personal information while allowing reasonable business activities to continue. Enforced by the Office of the Information and Privacy Commissioner of Alberta, the law has been in effect since January 1, 2004.
If your website uses cookies that track user behavior or collect identifiers like IP addresses, you are obligated to notify users and secure their consent before activating non-essential cookies. This includes implementing clear cookie banners and privacy policies that outline what data is collected and why.
To be compliant with PIPA Alberta, do the following:
Conduct an audit: Perform a full audit of data collection and sharing practices, and identify the personal data collected and its purposes.
Update privacy policy: Review and update privacy and cookie policies with PIPA-specific disclosures.
Implement consent management: Implement cookie consent banners and opt-out flows to automate consent capture and preference management.
Ensure data minimization: Limit data collection to what is necessary for legitimate business purposes.
Ensure consumer rights: Inform individuals about why and how their personal information is collected and used, and establish mechanisms to respond to consumer rights requests within 45 days.
Perform Data Protection Assessments: Safeguard privacy with regard to targeted advertising, data sales, profiling, or processing sensitive data.
PIPA Alberta applies to:
Private sector organizations operating in Alberta.
Non-profits and professional associations engaged in commercial activities.
Out-of-province businesses handling data of Alberta residents.
It does not apply to public bodies (governed by FOIP) or to federal works and undertakings (covered under Canada’s federal PIPEDA law).
Under Alberta’s PIPA, consumers (individuals) have the following rights:
Consumers can know about data collection and its purposes.
Consumers must consent to the collection, use, and disclosure of personal information.
Consumers can access their own personal data held by an organization.
Consumers can rectify inaccurate or incomplete information.
Consumers can, at any time, withdraw consent, subject to legal or contractual limitations.
Consumers have the right to data protection, requiring organizations to implement appropriate safeguards.
Consumers can complain to the Office of the Information and Privacy Commissioner of Alberta.
Cookies that collect or use personal information such as device identifiers, location data, or browsing behavior fall under the scope of PIPA. This means:
You must disclose the use of such cookies in your privacy or cookie policy.
You need user consent before setting non-essential cookies.
Users should have the option to withdraw or manage their cookie preferences at any time.
Failure to comply with PIPA Alberta can lead to:
Mandatory orders to change your data handling practices.
Reputational damage due to published Commissioner findings.
Legal actions or fines, including penalties up to $100,000 for serious violations.
The Commissioner has broad authority to investigate complaints, audit organizations, and enforce compliance.
To check their compliance with PIPA Alberta, organizations should:
Audit: Conduct a data audit to identify all cookies and trackers on their websites.
Categorize: Categorize cookies (e.g., necessary, preference, analytics, marketing).
Implement consent management: Ensure consent banners are implemented correctly with granular choices, enable users to withdraw consent at any time, and maintain consent logs.
Check third-party contracts: Review third-party data-sharing practices.
PIPA Alberta applies to private sector organizations and non-profits engaged in commercial activities within the province.
Personal data includes any information that identifies or could identify an individual, such as names, addresses, email addresses, IP addresses, and demographic details.
While PIPA does not explicitly define “sensitive data,” health, financial, or biometric data is considered more sensitive and requires higher protection.
The Office of the Information and Privacy Commissioner of Alberta (OIPC AB) enforces the Act.
Public bodies, individuals collecting data for personal use, and federal organizations governed by Canada’s PIPEDA are exempt.
You can visit the OIPC Alberta website for legislation details, guidance, and tools.
©2018-2025 CookieHub ehf.